That troublemaker again (replace domain logons =, domain master=)
Andrew Bartlett
abartlet at pcug.org.au
Mon Nov 12 06:27:05 GMT 2001
"Gerald (Jerry) Carter" wrote:
>
> On Mon, 12 Nov 2001, Simo Sorce wrote:
>
> > It is much more easier to understand the andrew's table than the
> > domain master/logons combination from an administrator point of view.
> > Sure black belts in smb.conf would find it easy, but having parameters
> > the clearly states what samba will be are more understandable. and yes
> > DMB is not so usefull but is here to provide you a way to use any
> > combination of the two parameters (to avoid loss in configurability).
> >
> > We discussed this with volker at CIFS too and I'm for this change,
> > much more clear IMHO.
>
> I disagree. It is simply an alternative representation. Why not
> simply have documentation which presents this chart? Removing
> the "security" parameter will break all existing
> documentation, configuration files, and third party tools.
> Not to mention making sysadmins relearn how to configure Samba.
>
> For what? A chart that may or may not be clearer to admins?
> The payoff is debateable and not big enough.
As you will see in my other e-mail, the problem is not at the security=
end of things. At that end, I don't really care if we continue to have
'secruity=domain' and 'secruity=server' parameters that just set sane
defaults for 'auth order'.
However, there is a problem on the nmbd side of things. Normally I
simply don't care about nmbd, but nmbd is blocking my changes....
The problem is that without looking at 'security =' nmbd is unable to
correctly list itself as an NT PDC/BDC/Domain member/standalone. As
such I proposed to tell nmbd directly (server role =), and (as a further
addition, not actually required) to force the value of two existing
paramaters 'domain logons =' and 'domain master =' to their only
possible values in this situation.
The chart (showing how we get server role at present) is as follows:
Domain Master Domain Logons Security
Y Y USER = PDC
N N DOMAIN = BDC
N N SERVER = BDC
N N DOMAIN = DOMAIN MEM
N N USER = STANDALONE
* * SHARE = STANDALONE
Not in particular that it is quite possible to construct a BDC without
using secuirty=server/domain, but we can't advertise this with the
current crippled arrangement.
I hope this makes the dependency on security= clearer, and therefore why
we need 'server role' to specify this explicitly.
Andrew Bartlett
--
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
More information about the samba-technical
mailing list